
3.13.15 System and Communications Protection - Derived

Derived Requirement

>Control Description

Protect the authenticity of communications sessions.

>Discussion

Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions.
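As an added illustration of what session-level authenticity means in practice (this is constructed example code, not text from the requirement or from any NIST publication): each message in a session is bound to a shared per-session key, the session identifier and a sequence number, so the receiving end can reject fabricated, modified and replayed messages, which covers the false-information insertion and hijacking cases the discussion names. The class, frame layout and session values are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length
class AuthenticatedSession:  # one end of a session (constructed illustration)
    def __init__(self, session_id: bytes, key: bytes):
        self.session_id, self.key = session_id, key
        self.send_seq = 0  # next sequence number this end will emit
        self.recv_seq = 0  # next sequence number this end expects
    def _tag(self, seq: int, payload: bytes) -> bytes:
        # MAC over (session_id, seq, payload) ties a message to this session and position
        msg = self.session_id + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()
    def send(self, payload: bytes) -> bytes:
        """Frame: seq (8 bytes) || payload || tag (32 bytes)."""
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        return struct.pack(">Q", seq) + payload + self._tag(seq, payload)
    def receive(self, frame: bytes) -> bytes:
        """Verify a frame; raise ValueError on forgery, tampering or replay."""
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("truncated frame")
        seq = struct.unpack(">Q", frame[:8])[0]
        payload, tag = frame[8:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            raise ValueError("bad MAC: forged or modified message")
        if seq != self.recv_seq:  # replayed or out-of-order message
            raise ValueError(f"unexpected seq {seq}, expected {self.recv_seq}")
        self.recv_seq += 1
        return payload

def _rejected(session: AuthenticatedSession, frame: bytes) -> bool:
    try:
        session.receive(frame)
        return False
    except ValueError:
        return True

def demo() -> dict:
    sid, key = b"sess-0001", os.urandom(32)  # constructed session values
    client, server = AuthenticatedSession(sid, key), AuthenticatedSession(sid, key)
    good = client.send(b"transfer 10")
    r = {"legit": server.receive(good) == b"transfer 10"}
    forged = struct.pack(">Q", 1) + b"transfer 9999" + bytes(TAG_LEN)  # no key
    r["forged_rejected"] = _rejected(server, forged)
    r["replay_rejected"] = _rejected(server, good)  # valid tag, stale seq
    tampered = good[:8] + b"transfer 99" + good[-TAG_LEN:]  # payload edited
    r["tamper_rejected"] = _rejected(server, tampered)
    return r
```

`demo()` runs one legitimate message and then a forged, a replayed and a tampered frame through the same receiver; a real deployment would get the per-session key from an authenticated key exchange such as TLS rather than sharing it out of band.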


>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address protecting the authenticity of communications sessions (3.13.15) for CUI systems?
  • Who is accountable for implementing and maintaining session authenticity controls?
  • How frequently are session authenticity requirements reviewed, and what triggers updates?
  • What process ensures that changes to systems maintain compliance with session authenticity requirements?
  • How are exceptions to session authenticity requirements documented and approved?

Technical Implementation:

  • What technical controls enforce session authenticity (e.g., mutually authenticated TLS, session binding) in your CUI environment?
  • How are session authenticity controls configured and maintained across all CUI systems?
  • What automated mechanisms support compliance with the session authenticity requirement?
  • How do you validate that your session authenticity implementations achieve their intended security outcome (resistance to man-in-the-middle attacks, session hijacking, and insertion of false information)?
  • What compensating controls exist if primary session authenticity controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves that session authenticity protection is implemented and operating effectively?
  • Can you provide configuration evidence showing how session authenticity is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing compliance with the session authenticity requirement?
  • Can you show evidence of a recent review or assessment of session authenticity controls?
  • What artifacts would you provide to a CMMC assessor to demonstrate compliance with 3.13.15?
